getting started : MOA-2.4.1 for USB

Create the boot-images

This step must be done by an administrator of a 32 bit Windows like XP or 2003. If you must use Vista use "run as" administrator

Create a dir on a drive with NTFS without spaces in the name.
Download and add this two files : X13-05665.img and moa241-setup.exe
Run the setup once and follow instructions. For latest instructions look here
Here is a video tutorial
When the first stage of the setup is done - close the setup and relaunch it. Then run
menu > postprocessing > infcache
menu > postprocessing > create standard iso
menu > postprocessing > ram-image bandit
menu > postprocessing > ram-image max

You should now have 3 iso-files in the directory iso-out.
You will need all of them ...

Create the boot-images for forensic use

This step must be done by an administrator of a 32 bit Windows like XP or 2003. If you must use Vista use "run as" administrator

Create a new directory - copy all zip files and the moa241-setup.exe from first directory into it and run the setup again.
Tthis time say YES when asked for about the forensic build.
When the first stage of the setup is done - close the setup and relaunch it. Then run
menu > postprocessing > infcache
menu > postprocessing > create standard iso
menu > postprocessing > ram-image bandit
rename the output isos so that you can tell them from the regular ones.

Get practice 1

using cheatcodes

Boot the MOA-bandit.iso inside a virtual machine
At boot-time you have a configurable time-window when you can set boot-parameters.
Like with Linux-LiveCDs this is called the cheatcode-prompt.

It is highly recommended that you get used to this to get best results.
Test the created Iso-files inside VMs with varying the amount of RAM.

(this is latest state as of moa.exe version 2.4-036)

Get practice 2

using the "moa-is-at-home.tag"

Try this once:
Boot the MOA-bandit.iso inside a virtual machine and add a disk.
Format that disk with NTFS
Create a blank file named "moa-is-at-home.tag" in the root of the disk and reboot.
Notice what happens.
Put some file on the desktop - a shortcut or whatever ...
Reboot
Notice what happens.
Delete the tag-file and reboot.
Notice what happens.

Get practice 3

load on demand

Try this once:
Use the same constellation from last lesson. Set the tag-file so that you boot into your persistant home.
Download a small firewall named "ghostwall" from here
Then move that file to the directory R:\_sfx_
Click the cmd-icon on the desktop and run
R:\_sfx_\ ghostwall_setup.exe /silent
Next test your new firewall - try the "block all" button ...
Ok - now lets make a nice shortcut on the desktop - (right click on desktop > create new shortcut)
Point the shortcut to R:\_sfx_\ ghostwall_setup.exe and add the parameter /silent
Give the desktop shortcut a nice name like "start firewall"
Reboot
Try your new desktop-icon

Get practice 4

low RAM conditions

Try this once:
Use the same constellation from last lesson. Set the tag-file so that you boot into your persistant home.
Set the memory for the virtual machine to 128 MB.
Use the MOA-std.iso and boot into default cheatcode.
MOA should boot into explorer and everything should work normally.
Notice that no ramdrive is used.
Next remove the "moa-is-at-home.tag" and reboot with default cheatcode.
Notice that this time a ramdrive is used and the system maybe unstable.

Now reduce the RAM of the virtual machine to 96 MB.
Very likely MOA will fail during boot. The system is unusable - so reboot again.
This time use cheatcode "shell"

Now reduce the RAM of the virtual machine 64 MB.
This time use cheatcode "cmd"

Just for fun try the same lesson with the MOA_bandit.iso

Get practice 5

automated tasks

Try this once:
Use the same constellation from last lesson. Set the tag-file so that you boot into your persistant home.
This assumes you still have the file R:\_sfx_\ ghostwall_setup.exe

Browse to the directory R:\bin with explorer and create a new file named "lastbatch.cmd"
Open it and type this 3 lines

echo off
R:\_sfx_\ghostwall_setup.exe /silent
exit

save the file and reboot

Get practice 6

automated interactive tasks

Try this once:
Use the same constellation from last lesson. Set the tag-file so that you boot into your persistant home.


Browse to the directory R:\bin with explorer and create a new file named "interactive.cmd"
Open it and type this 2 lines

ipconfig /all
pause

save the file and reboot

Advanced 1 - coldclone with vmware-vdiskmanager

video

the video was created with MOA 2.2 - early version - the basics still apply
you need to have any version of Workstation in your build

work in progress

Advanced 2 - in-place P2V

old video

work in progress

Advanced 3- using an ESX-VM to access VMFS

video

you need current MOA with esx-tools-016
you need Workstation 6.5.2
you need a ESX-VM

work in progress

Which device to use ???

Get a USB device

See the next table to see how you combine this two "modules" bandit.img and moa24.tc
The boots from column shows where the bandit.img is booted from
The personal files column shows where the personal files inside the truecrypt-container moa24.tc are stored
The RAM column shows how much RAM is at least required to boot this constellation
The Performance column shows some benchmarks taken on a HP-notebook.
Don't look at absolute values here - just compare the times.
Your mileage will vary depending on the machine you boot and the speed of your USB-device

some hosts only boot with USB 1 speed

- if your machine does so too - better boot from CD to safe time

this is the cheapest way to get started - bad performance

middle-class usb-stick

are you paranoid

- then this is the option for you

fastest stick I have ever seen

best performance
( when booting from USB is wanted)
this is a 32 GB SSD-disk in an USB-enclosure

good performance - large storage capacity for the money

requires a DHDCP / TFTP server in the local network
clever solution if you work most of the times in your own network

old-fashioned

anyway it is recommended to create a standard ISO with Converter for P2V use

just for comparison ...
fastest constellation
only possible if installing to a local harddisk is allowed - like with a notebook dedicated to MOA

1. boot - Create the container for your personal files

for the next five boots you need a machine with at least 768 MB RAM and the MOA24-max CD

first boot into MOA

in the next 5 boots you will create your personal Workspace

prepare environment

After booting call truecrypt-format from the startmenu.



specify a path for the Container -name the file moa24.tc and put it into the root of ANY local disk



accept default encryption


set the size of the container - for this sample build take 2.5 Gb or more



set the password



make sure you select NTFS as filesystem



after a while the volume is ready



call "truecrypt" from the startmenu and mount the new container to the letter Q:



with explorer copy the contents of X:\moahome to Q: so that it looks like this




On every subsequent boot MOA will find this container and mount it instead of a RAMdrive - this means that from next boot on all changes to R: will be persistant.

In case you want to install Workstation 6.5.2 next
open Q:\bin\moa.ini and make sure you have this line

start_vmware=no

When done - reboot.
During next boot you should see that MOA auto selects the cheatcode "tc_auto"

2. boot - install Workstation 6.5.2

Download VMware-workstation-6.5.2-156735.exe

Install Workstation 6.5.2 to R:\vm\ws652. Be patient - this takes a long time.
Sometimes the installer does not find vmnetbridge.dll - in this case just point it to the directory R:\vm\ws652
After installation do not allow reboot and run this batch or copy the files manually.

copy /Y X:\i386\SYSTEM32\DRIVERS\hcmon.sys "R:\vm\ws652\hcmon.sys"
copy /Y X:\i386\SYSTEM32\DRIVERS\VMkbd.sys "R:\vm\ws652\VMkbd.sys"
copy /Y X:\i386\SYSTEM32\DRIVERS\vmnet.sys "R:\vm\ws652\vmnet.sys"
copy /Y X:\i386\SYSTEM32\DRIVERS\vmnetadapter.sys "R:\vm\ws652\vmnetadapter.sys"
copy /Y X:\i386\SYSTEM32\DRIVERS\vmnetbridge.sys "R:\vm\ws652\vmnetbridge.sys"
copy /Y X:\i386\SYSTEM32\DRIVERS\vmnetuserif.sys "R:\vm\ws652\vmnetuserif.sys"
copy /Y X:\i386\SYSTEM32\DRIVERS\vmx86.sys "R:\vm\ws652\vmx86.sys"
copy /Y X:\i386\SYSTEM32\vmnat.exe "R:\vm\ws652\vmnat.exe"
copy /Y X:\i386\SYSTEM32\vmnc.dll "R:\vm\ws652\vmnc.dll"
copy /Y X:\i386\SYSTEM32\vmnetbridge.dll "R:\vm\ws652\vmnetbridge.dll"
copy /Y X:\i386\SYSTEM32\vmnetdhcp.exe "R:\vm\ws652\vmnetdhcp.exe"
copy /Y X:\i386\SYSTEM32\vnetinst.dll "R:\vm\ws652\vnetinst.dll"
copy /Y X:\i386\SYSTEM32\vnetlib.dll "R:\vm\ws652\vnetlib.dll"

In case you want to install Workstation 6.0.5 next
open R:\bin\moa.ini and make sure you have this line

start_vmware=no

When done - reboot.
During next boot you should see that MOA auto selects the cheatcode "tc_auto"

3. boot - install Workstation 6.0.5


Download VMware-workstation-6.0.5-109488.exe

Install Workstation 6.0.5 to R:\vm\ws605. Be patient - this takes a long time.
Sometimes the installer does not find vmnetbridge.dll - in this case just point it to the directory R:\vm\ws605
After installation do not allow reboot and run this batch or copy the files manually.

copy /Y X:\i386\SYSTEM32\DRIVERS\hcmon.sys "R:\vm\ws605\hcmon.sys"
copy /Y X:\i386\SYSTEM32\DRIVERS\VMkbd.sys "R:\vm\ws605\VMkbd.sys"
copy /Y X:\i386\SYSTEM32\DRIVERS\vmnet.sys "R:\vm\ws605\vmnet.sys"
copy /Y X:\i386\SYSTEM32\DRIVERS\vmnetadapter.sys "R:\vm\ws605\vmnetadapter.sys"
copy /Y X:\i386\SYSTEM32\DRIVERS\vmnetbridge.sys "R:\vm\ws605\vmnetbridge.sys"
copy /Y X:\i386\SYSTEM32\DRIVERS\vmnetuserif.sys "R:\vm\ws605\vmnetuserif.sys"
copy /Y X:\i386\SYSTEM32\DRIVERS\vmx86.sys "R:\vm\ws605\vmx86.sys"
copy /Y X:\i386\SYSTEM32\vmnat.exe "R:\vm\ws605\vmnat.exe"
copy /Y X:\i386\SYSTEM32\vmnc.dll "R:\vm\ws605\vmnc.dll"
copy /Y X:\i386\SYSTEM32\vmnetbridge.dll "R:\vm\ws605\vmnetbridge.dll"
copy /Y X:\i386\SYSTEM32\vmnetdhcp.exe "R:\vm\ws605\vmnetdhcp.exe"
copy /Y X:\i386\SYSTEM32\vnetinst.dll "R:\vm\ws605\vnetinst.dll"
copy /Y X:\i386\SYSTEM32\vnetlib.dll "R:\vm\ws605\vnetlib.dll"

4. boot - install VirtualBox

Download VirtualBox-2.1.4-42893-Win_x86.msi

and install it to R:\vm\virtualbox - no other steps required

5. boot - prepare esx-tools-016

create a directory R:\_sfx_ and download this files into it:

virtualbox-lodr.exe
starwind-lodr.exe
nfsd-lodr.exe
esx-tools-016.exe

Next create a directory named R:\src - to safe disk space in the container
this can be a junction point to a directory on any local disk.

the following list of files is only needed once - that is why it is recommended to
store them all in a directory on a local disk instead of inside the container.

VMware-Vim4PS-1.0.0-113525.exe
VMware-vix-disklib-e.x.p-99191.i386.exe
VMware-VIRemoteCLI-3.5.0-104314.exe
VMware-converter-3.0.3-89816.exe
VMware-VMvisor-InstallerCD-3.5.0_Update_4-153875.i386.iso

WindowsServer2003-KB926139-v2-x86-ENU.exe

VMware-viclient.exe - connect to a local ESX and download from the webpage

No matter where you actually store this files - your directory R:\src should now have at least this files

If you got everything run R:\_sfx_\esx-tools-016.exe (without parameter)
Follow instructions.
When finished you should now have two new wim-files and several new directories.
add2vm-016.wim
add2win-016.wim
Put them into R:\_sfx_
You do not need those wims in regular use - only when you plan to create a CD-only build.

You will notice a directory R:\add2win.
Keep it and do not mess with it.
It contains the files needed to run dotnet2.

The new directory R:\programs\vmware contains all the VMware apps you just installed like ViClient and Converter.
Keep it and do not rename anything in here.

In case you want to run Workstation on any further boot
open R:\bin\moa.ini and make sure you have this line

start_vmware=yes

When done - reboot.

Customize it - theory

Next table lists the MOA bootup-procedure and shows how the single steps can be influenced
Red text references a line in the MOA-configuration file moa.ini
Some actions are triggered when a special named file exists.
Some actions require user-input - like ask for a file or path.

read WINNT.SIF and load specified image into RAM

depends on the driver-package you added

if HKLM\SYSTEM\ControlSet001\Services\MountMgr\NoAutoMount = 1

if HKLM\SYSTEM\Setup\CmdLine = PELOADER.EXE *

if HKLM\SYSTEM\Setup\CmdLine = PELOADER.EXE Systemroot%\system32\shell\moa.exe

if exist X:\i386\system32\shell\moa.ini set moa-ini-path = X:\i386\system32\shell

if exist X:\i386\system32\shell\firstbatch.cmd               (needs moa2.4-037.exe)

read HKLM\SOFTWARE\sanbarrow\allow_start

read start_kiosk=  in X:\i386\system32\shell\moa.ini
read moa_timeout=in X:\i386\system32\shell\moa.ini

read default_cheatcode= in X:\i386\system32\shell\moa.ini

if start_kiosk=yes in X:\i386\system32\shell\moa.ini hide moa.exe-gui

use default_cheatcode= and preset cheatcode-prompt

if found moa24.tc - preset cheatcode-prompt with tc_auto
if found moa24.vmdk - preset cheatcode-prompt with vmdk_auto
if found moa-is-at-home.tag - preset cheatcode-prompt with remount

wait moa_timeout=5000 milliseconds - then set current value for default_cheatcode=

if default_cheatcode=invalid   back to prompt
if default_cheatcode=           back to prompt
if default-cheatcode=halt       shutdown
if default_cheatcode=reboot   reboot
if default_cheatcode=cmd      open a cmd - back to prompt when done
if default_cheatcode=x          open explorer - back to prompt when done
if default_cheatcode=regedit  run regedit - back to prompt when done
if default_cheatcode=shell     run diskmanagement, regedit and cmd - back to prompt
if default_cheatcode=help      display help - back to prompt when done

if default-cheatcode=vmdk_auto    mount moa24.vmdk to R:\
if default_cheatcode=remount       mount volume with moa-is-at-home.tag to R:\
if default_cheatcode=minimal   create , format and mount a 16 MB ramdisk to R:\
if default_cheatcode=mini        create , format and mount a 16 MB ramdisk to R:\
if default_cheatcode=safe        create , format and mount a 16 MB ramdisk to R:\
if default_cheatcode=tiny         create , format and mount a RAM/5 ramdisk to R:\
if default_cheatcode=lean        create , format and mount a RAM/4 ramdisk to R:\
if default_cheatcode=big          create , format and mount a RAM/3 ramdisk to R:\
if default_cheatcode=splendid  create , format and mount a RAM/2 ramdisk to R:\
if default_cheatcode=tc_auto    ask for password and mount moa24.tc to R:\

if default_cheatcode=tc           ask for password and mount any truecrypt-container to R:\
if default_cheatcode=ramfile   ask for a virtual diskand mount it to R:\
if default_cheatcode=disk       change the driveletter of one of the detected volumes to R:\

if drivetype R:\ = ramdisk populate R:\ with contents of X:\moahome\
if drivetype R:\ = fixed create essential directories if they do not exist

if start_kiosk=no and if exists R:\bin\moa.ini set moa-ini-path = R:\bin

if start_explorer=early start explorer

if start_earlybatch=yes run moa-ini-path\lastbatch.cmd

if mount_tdrive=early mount R:\_sfx_tdrive.cmd to driveletter T:\
if wim1_mount=early read wim1_path= and mount named file to R:\vm\vmware

if wim2_mount=early read wim2_path= and mount named file to R:\vm\converter

if start_prenetworkbatch=yes run moa-ini-path\prenetworkbatch.cmd

if start_vmware=yes and if not exist r:\vm\vmware\vmplayer.exe - select a directory

if start_vmware=yes and if not existr:\vm\vmware\vmplayer.exe - select a wim

if start_vmware=yes and exist r:\vm\vmware\vmplayer.exe

if start_vmware=yes get version r:\vm\vmware\vmplayer.exe

if start_vmware=yes and version is known inject network drivers

if exist hwpnp.cmd execute it - else run hwpnp.exe with default parameters

read vmnet1_name= and read vmnet1_IP= and set IP for virtual adapter 1
read vmnet8_name= and read vmnet8_IP= and set IP for virtual adapter 8
read moa_hostname= and set hostname
read moa_workgroup= and set Workgroup-name

if start_vmware=yes and version is known load it

if start_eventlog=yes start EventLog
if start_sshd=yes start Secure Shell Server
if start_audiosrv=yes start HDaudbus service

if start_msi=yes start MSI-service

if mount_tdrive=late mount R:\_sfx_tdrive.cmd to driveletter T:\
if mount_udrive=late mount R:\_sfx_tdrive.cmd to driveletter U:\
if mount_vdrive=late mount R:\_sfx_tdrive.cmd to driveletter V:\

if start_wireless=yes

if start_latebatch=yes run moa-ini-path\latebatch.cmd

if exists R:\bin\lastbatch.cmd

if exist R:\bin\interactivebatch.cmd

if process explorer exists kill it and restart it

if start_explorer=yes

if start_converter=yes

if start_kiosk=no activate buttons in moa.exe

Customize it - the configuration files

MOA uses two fixed driveletters X:\ and R:\

X:\ is the static boot-image
R:\ is the writeable truecrypt-container

X:\ is available early at boot
R:\ is not available before you decided what R:\ is actually going to be - that means after cheatcode-prompt

X:\ has very limited free space
R:\ has no serious size limitations

X:\ must be used for pre cheatcode configurations
R:\ for everything after cheatcode prompt

So MOA has early config in X:\i386\system32\shell and late config in R:\bin.

No matter which path is actually used the important files are

moa.ini
earlybatch.cmd
prenetworkbatch.cmd
hwpnp.cmd
latebatch.cmd
lastbatch.cmd
interactivebatch.cmd

moa.ini   earlybatch.cmd   prenetworkbatch.cmd   hwpnp.cmd   latebatch.cmd   lastbatch.cmd   interactivebatch.cmd

configuration - moa.ini



[BOOT]
defaultCheatCode=lean
defaultRAMdriveSize=8
moahome_ramsize=16

start_sshd=yes
start_vmdks=no
start_vmware=yes
start_vgasafe=yes
start_audiosrv=yes
start_eventlog=yes
start_msi=yes
moa_timeout=5000
start_explorer=yes
start_debug=no
start_kiosk=no
start_KioskVM=no
start_vcr4moa=yes

start_earlybatch=yes
start_latebatch=no
start_prenetworkbatch=no

[NETWORK]
default_NetMode=

vmnet1_IP=192.168.52.1
vmnet1_name=VMware Network Adapter VMnet1
vmnet8_IP=192.168.132.1
vmnet8_name=VMware Network Adapter VMnet8
moa_hostname=moa
moa_workgroup=workgroup

[AUTOMOUNT]
mount_tdrive=no
mount_udrive=no
mount_vdrive=no

wim1_mount=no
wim1_path=r:\_sfx_\ws602ripped.wim

file = moa.ini
initial path = X:\i386\system32\shell
optional path = R:\bin


Optional path will be used if R:\bin\moa.ini exists and if start_kiosk=no

this is the main configuration file

the sample to the left is a reasonable configuration for this build

make sure you enable loading of VMware for regular use

configuration - earlybatch.cmd

echo off
del /f /s /q r:\temp\*.*
rmdir /s /q r:\temp
md r:\temp

del r:\home\moon\desktop\starwind.lnk
del r:\home\moon\desktop\player.lnk
del r:\home\moon\desktop\workstation.lnk
del r:\home\moon\desktop\nfsd.lnk
del r:\home\moon\desktop\virtualbox.lnk
del r:\home\moon\desktop\viclient.lnk
del r:\home\moon\desktop\fastscp.lnk
del r:\home\moon\desktop\vmx.lnk
del r:\home\moon\desktop\zenmap.lnk
del r:\home\moon\desktop\powershell.lnk
del r:\home\moon\desktop\vitoolkit.lnk
del r:\home\moon\desktop\vmware-cmd.lnk
del "r:\home\moon\desktop\nfs server.lnk"

rmdir /s /q "R:\programs\StarWind Software\StarWind"
rmdir /s /q "R:\programs\nfsd"
exit

file = earlybatch.cmd
path = active moa.ini directory
will be executed if present AND if enabled in moa.ini

this batch can be used to clean up from last run.
It is recommended to clean up temp and directories
like the starwind program dir. This makes the unattended install later easier.

It can also be used to remove desktop icons

This batch MUST exit cleanly

configuration - prenetworkbatch.cmd

echo off
...
inject drivers into X:\i386\...
mount wims, vmdks, containers
...
exit

file =prenetworkbatch.cmd
path = active moa.ini directory
will be executed if present AND if enabled in moa.ini

use this for tasks that must be done before
hardware plug'n'play and loading of VMware Workstation or VMplayer
This batch MUST exit cleanly

configuration - hwpnp.cmd

HWPnp.exe -all +PCI\CC_03 +PCI\CC_04 +HDAUDIO +ACPI\GENUINEINTEL +ACPI\AuthenticAMD_-_x86_Family_15 +ACPI\ACPI0003 +ACPI\PNP0C0A /cid /p /log+

file =hwpnp.cmd
path = R:\bin
will be executed if present

this example - all in one line - prevents loading drivers for any other Nics than the ones from VMware - MOA does not use any external network - only the internal network shared with VMs is active

use this file in case you have issues with some special machines - documentation for hwpnp.exe by Paraglider is available on his site - see

general rule of thump:
rough hardware detection = fast boot
indepth detection = long boot

per default MOA tries to use a good compromise between boot-time and detection

This batch MUST exit cleanly

configuration - latebatch.cmd

echo off
...
put your custom commands here
...
exit

file = latebatch.cmd
path = active moa.ini directory
will be executed if present AND if enabled in moa.ini


use this batch to run your custom apps in kiosk-mode
This batch MUST exit cleanly

configuration - lastbatch.cmd

echo off
rem r:\programs\nmap\zenmap-lodr.exe
rem R:\vm\virtualbox\virtualbox-lodr.exe
rem r:\_sfx_\starwind-lodr.exe
rem r:\_sfx_\nfsd-lodr.exe
rem start r:\_sfx_\esx-tools-016.exe run
exit

file = lastbatch.cmd
path = R:\bin
will be executed if present

in this file you can automate loading of the listed apps for convenience sake - to speed up boot-time keep it short.

Iin kiosk-mode use this to reboot or shutdown

This batch MUST exit cleanly

configuration - interactivebatch.cmd

ipfonfig /all
pause

file = interactivebatch.cmd
path = R:\bin
will be executed if present

if you want to run interactive custom commands put them here

using a dedicated USB-disk instead of the truecrypt-container

Maybe you don't want to enter a password during boot or are not satisfied with the size-limitations of a container
You can then dedicate a complete USB-disk for your personal workspace.
To do this - mount the container you already created and copy all of its content into the root of a blank USB-disk.
To use it - enter cheatcode disk at cheatcodeprompt - this will popup diskmanagement.
You should now find your USB-disk and assign driveletter R:
When done close diskmanagement and MOA continues booting - using your files on the USB-disk.

For a non-interactive bootup - just put a tag-file named moa-is-at-home.tag into the root of your disk.
To prevent automatic use just remove or rename the tag-file again.

At boot-time MOA searchs for this tag - when it is present on any local disk MOA presets the cheatcode remount
So if you see the cheatcode remount in the cheatcode-prompt this means your local disk is alreadsy detected and ready to be used.

The MOA-plugins

moa-24-*-system.inf
contains all entries for [SetupReg.AddReg] After boot this becomes HKEY_LOCAL_MACHINE\SYSTEM
The name of the hive is "...pebuilder\bartpe\i386\system32\setupreg.hiv"

moa-24-*-software.inf
contains all entries for [Software.AddReg] execpt the classes-section. After boot this becomes HKEY_LOCAL_MACHINE\SOFTWARE
The name of the hive is "...pebuilder\bartpe\i386\system32\config\software"

moa-24-*-classes.inf
contains only entries for [Software.AddReg] classes-section. After boot this becomes HKEY_LOCAL_MACHINE\SOFTWARE\Classes
The name of the hive is "...pebuilder\bartpe\i386\system32\config\software"

moa-24-*-default.inf
contains all entries for [Default.AddReg] After boot this becomes HKEY_CURRENT_USER
The name of the hive is "...pebuilder\bartpe\i386\system32\config\default"

moa-24-*-sanbarrow.inf
sets moa.exe boot-options and copies moa.exe, essential cmds and ini-files

moa-24-*-files-windows.inf
this essential plugin copies the files needed for the explorer shell - this files are taken from the windows-source.
It also copies all MOA-required files like vdk.exe or imdisk ...
After build this files are in "...pebuilder\bartpe\I386"
After boot this files are in "X:\i386"

moa-24-*-files-moahome.inf
this plugin is only required for CD-only builds - though you should not disable it in most cases
After build this files are in "...pebuilder\bartpe\moahome"
After boot this files will be used to populate the ramdisk - in case one is used

moa-24*-z-dont-mount-anything.inf
this optional plugin disables the automatic mounting of local volumes

moa-24*-z-multiprocessor.inf
this optional plugin enables SMP-support - don't use it for P2V-builds if you need a wide compatibilty with old machines

moa-24*-wmi.inf
this optional plugin enables WMI-support - this plugin requires to be used with the hostname MOA.
Don't use this plugin if you must change the hostname

how to add your apps

this is a short overview only - in many cases it is as easy as "just install it"
Then reboot and see if it still works.
If not - go to Plan B - if it still does not work go to Plan C and so on.